Predefined controller-level policies for NiFi
You can review the predefined Ranger policies for NiFi to determine the appropriate policy to assign to a user.
The following table lists the predefined Ranger access policies for NiFi. If you create a custom policy, refer to the Resource Descriptor column in this table to enter the value in the NiFi Resource Identifier field on the New Policy page.
Ranger controller-level policy | Corresponding NiFi policy name in the Hamburger menu | Description | Resource descriptor |
---|---|---|---|
Controller | Access the controller | Allows users to view and modify the controller including Reporting Tasks, Controller Services, Parameter Contexts and Nodes in the Cluster. | /controller |
Flow | View the user interface | Allows users to view the NiFi UI. | /flow |
Policies | Access all policies | Allows users to view the policies for all components. | /policies |
Provenance | Query provenance | Allows users to submit a Provenance Search and request Event Lineage. | /provenance |
Proxies | Proxy user requests | Allows NiFi and Knox hosts to proxy user requests. Does not apply to users or user groups. All nodes in your NiFi cluster must be assigned to the | /proxy |
Restricted Components | Access restricted components | Allows users to create/modify restricted components assuming other permissions are sufficient. The restricted components may indicate the specific permissions that are required. Permissions can be granted for specific restrictions or be granted regardless of restrictions. If permission is granted regardless of restrictions, the user can create/modify all restricted components. Some examples of restricted components are ExecuteScript, List/FetchHDFS, and TailFile. See the NiFi Restricted Components topic for information on the sub-policies. | /restricted-components |
Root Group Data | | Allows users and the nifi group to view and delete data from the root group and down the hierarchy unless there is a more specific policy on a component. | /data/process-groups/<uuid> |
Root Group Provenance Data | | Allows users to view provenance data. | /provenance-data/process-groups/ |
Root Process Group | | Allows users to view and modify the root process group including adding/removing processors to the canvas. This policy is inherited down the hierarchy unless there is a more specific policy on a component. | /process-groups/<root process group ID> |
Tenants | Access users/user groups | Allows users to view and modify user accounts and user groups. | /tenants |